Description
ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in loadxml() in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java that allows an adversary to remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to be exploitable via network connectivity.
Remediation
References
http://gms.cl0udz.com/Openconfig_xxe.pdf
https://gerrit.onosproject.org/#/c/18894/